RAM Not Clearing - Malware Still Present

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

hv55 (Thread Starter)
In this forum, I see quite a lot of questions about what to do when someone's system gets hacked or someone gets remote access from a trojan, and how to get rid of that malware. But I didn't see anything about the RAM and malware.

On my asus laptop, i don't think the RAM is fully clearing.

Someone hacked onto my computer the other day when I was using my live DVD Debian 9. I had heard previously that a script can be uploaded or some software settings can be modified so that the RAM does not fully clear. There is no hard drive in the computer, including when they got malware on my computer the other day, so it is not on the hard drive.

How do i know they got on and are still on? They open new tabs on their own - they open bookmark manager, and click on bookmarks, etc. They are on here.

I fully shutdown the computer without any shortcuts; I do not hit the power key.

So, if they modified the RAM so it does not fully clear, and the malware stays on, what do i need to do to the computer to get it back to "default" whereby the RAM fully clears on shutdown? I just want to get it back to its original RAM settings.

Also, I am running the livedvds on a DVD-ROM drive - so nothing should be able to write to the dvds and they have never been played in any other dvd drive.


Asus laptop X555LAB, 64-bit, Debian 9 OS
Thank you,
Stephanie
 

dvk01 (Derek, Retired Moderator, Retired Malware Specialist)
What you are describing is an impossibility: malware cannot remain in RAM when the computer is shut down and powered off.
If you are using a Debian live CD then nothing can remain when you reboot.
This is much more likely to be a hardware issue, unless you have the DVD set to be writable and some malware has written to the CD/DVD and is then loading each time you use the DVD.

I suppose it is just possible that the BIOS or boot loader has been affected.

Moved to Linux forum.
 

Johnny b (John)
I've not used Debian on a live DVD, but it's probably similar to the Puppy Linux I use in concept.
dvk01 has a point.
If you are saving your sessions when you shut down your computer, it is possible to be writing malicious script to that DVD.

Because live CD/DVDs need to be updated from time to time, I keep mine writable but unmount after every boot so nothing can be unknowingly written to disk during that session or on shutdown.
I do hard shutdowns all the time except for updates.

But once the DVD is infected, it's probably easier to simply burn a fresh live CD/DVD from install media. And then you'd also be assured it's a clean install.

I also run without a hard drive and like the concept.
 

hv55 (Thread Starter)
Thanks. First, I'm using the DVD in a DVD-ROM (read only), so it should be impossible for malware to write to the DVD, yes?

In reading online about the RAM and malware, I kept reading about "programs" being uploaded that affected the RAM clearing, or at least in regards to the RAM. But with no hard drive, where would the programs be permanently installed (permanent unless removed)?

Maybe the BIOS or boot loader 'has' been affected. What would I need to do to the BIOS or boot loader to get it back to default? I see the BIOS has the 'reset to default settings' option.... If yes, what about the boot loader? Where is the boot loader?

Thanks again
 

dvk01 (Derek, Retired Moderator, Retired Malware Specialist)
This sounds more like a hardware issue with a sticky key or shortcut key combination that is opening bookmarks, or just possibly a rogue extension in whichever browser you are using.
If the DVD is read only and not writable at all, then unless it is hardware and a sticky key, it would mean that the DVD was compromised somehow on burning.
Best advice is to download and burn a new copy of Debian from a known safe source and use that.
If the problem still exists, then somebody can consider looking deeper. But the likelihood of you being hacked and only your bookmarks affected is so remote that in all reality it can be discounted.

When a computer is powered off, RAM is cleared and there are no known ways to keep any data in RAM once the power has been turned off.

There are a couple of theoretical exploits where RAM can be read after power off, but that needs physical access to the RAM chips and specialised cooling equipment. But that is only workable for a few seconds after power off.

Note: "RAM can be read", and theoretically some information retrieved. Not acted upon, not written to, not able to store anything and make it load when booted.
 

hv55 (Thread Starter)
Thanks. The DVD player is ROM / read only, not the disc.

If the boot loader or the BIOS were affected, could that prevent the RAM from completely clearing? And yes, I do see what you said above about RAM clearing..

1- It's not just bookmarks opening; other tabs that have nothing to do with bookmarks, someone switching the tab being used / being viewed. Still happening...

2- When I shut down I get the following error message:
FAILED: umounting /lib/live/mount/medium
 
Member (joined May 28, 2018)
If the boot loader or the BIOS were affected, could that prevent the RAM from completely clearing? And yes, I do see what you said above about RAM clearing..
The RAM is volatile, which means without any energy the data is lost. Using another OS can rule out any cases that the BIOS/UEFI is affected by a virus. If you really want to make sure the RAM is cleared, disconnect the battery and AC from the computer after it's powered down.

1- It's not just bookmarks opening; other tabs that have nothing to do with bookmarks, someone switching the tab being used / being viewed. Still happening...
Depending on the live Linux distribution that you are using, you have an option to save data to disk. Also, you can save a session. Saving a session records the state of the desktop and any programs that are loaded.

If you think someone hacked you, pull the plug to the Internet. If the ghostly actions still happen after you disconnect from the Internet, then the mouse cursor might be jumping around, caused by bad data packet sync from the computer mouse to your computer, or you may have a tainted ISO. Download again from another server. Check the ISO with the MD5 and/or SHA1 signature file. The disc could have errors from the burn. I suggest burning at the slowest write speed.

2- When I shut down I get the following error message:
FAILED: umounting /lib/live/mount/medium
This is a normal message for live Linux distributions loaded from a CD or DVD. There is nothing to be alarmed by in this message. If you don't think so, go to that path. It should list the contents of the disc.
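The ISO check recommended in the reply above, as an added example that is not part of the original thread: a POSIX shell function that compares a downloaded image against a vendor checksum file in the coreutils format Debian publishes (SHA256SUMS), run here on a constructed stand-in file rather than a real image. The file names and the temporary directory are assumptions for the demo. Two caveats a practitioner would add: prefer the SHA256SUMS file over the MD5/SHA1 ones, since MD5 and SHA-1 are collision-broken, and verify the detached signature (SHA256SUMS.sign) with gpg before trusting the checksum file itself, otherwise a tampered mirror can serve a matching hash for a tampered image.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against a vendor checksum file.
# Assumes the checksum file uses the coreutils format that Debian ships:
#   <64 hex chars><two spaces or " *"><filename>
#
# Authenticity (not just integrity) comes from the detached signature:
#   gpg --verify SHA256SUMS.sign SHA256SUMS
# Run that first, with the Debian CD signing key imported; a matching hash
# against an unsigned checksum file only proves the download was not corrupted.

# verify_iso ISO SUMSFILE
#   returns 0 when the hash matches, 1 on mismatch, 2 if the checksum file
#   has no entry for the file's basename.
verify_iso() {
    iso="$1"
    sums="$2"
    name=$(basename "$iso")
    expected=$(grep -E "^[0-9a-f]{64} [ *]${name}\$" "$sums" 2>/dev/null | head -n 1 | cut -d' ' -f1)
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    return 1
}

# Demo on a constructed stand-in for the ISO (not a real Debian image).
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a debian-9 amd64 live image\n' > "$demo_dir/debian-live.iso"
( cd "$demo_dir" && sha256sum debian-live.iso > SHA256SUMS )

if verify_iso "$demo_dir/debian-live.iso" "$demo_dir/SHA256SUMS"; then
    echo "pristine image: hash matches"
fi

# Simulate a tampered or truncated download: append one byte.
printf 'x' >> "$demo_dir/debian-live.iso"
if ! verify_iso "$demo_dir/debian-live.iso" "$demo_dir/SHA256SUMS"; then
    echo "modified image: hash mismatch, do not burn it"
fi
rm -rf "$demo_dir"
```

Run verify_iso with the real image and the SHA256SUMS downloaded next to it. A return of 2 means the checksum file has no line for that filename, which usually means the SHA256SUMS for a different release or architecture was fetched; the file is then unverified, not verified.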
 

hv55 (Thread Starter)
Thanks. I am using Debian 9 - how would I be able to save a session? If someone got on my computer, could they set the BIOS or boot loader or something else to "automatically" save the session, thereby keeping potential malware? On the other hand, I am using a DVD-ROM - the DVD player is "read only".

Using another OS can rule out any cases that the BIOS/UEFI is affected by a virus.
Can you explain how this would work? Thx.
 

Johnny b (John)
Thanks. I am using Debian 9 - how would I be able to save a session? If someone got on my computer, could they set the BIOS or boot loader or something else to "automatically" save the session, thereby keeping potential malware? On the other hand, I am using a DVD-ROM - the DVD player is "read only".


Can you explain how this would work? Thx.
As stated before, because you are using a read-only DVD player, nothing can be written to your DVD, thus nothing can be saved to that DVD.

Could you have malware saved to the firmware of your hardware? Possible but unlikely.
Could there be an intrusion of your router and DNS settings changed? Also possible.

Start with the easy diagnosis first.
Convenient with your current hardware configuration would be a version of Puppy Linux burned to a DVD as a live OS, just as you seem to have done with Debian.
If the problem persists with Puppy, your problem is likely hardware oriented.

IMO, a good Puppy distro is Xenialpup 7.5
You can download it here:
http://distro.ibiblio.org/puppylinux/puppy-xenial/64/
 

hv55 (Thread Starter)
Someone burned a copy of the Puppy DVD - I'll try it and see. Thx.
 

hv55 (Thread Starter)
OK, tried it - exact same problem. So I am back on the Deb 9. I noticed though that they weren't on right away when I switched OSes.

Right or wrong, this is what I think may be happening. Simply, I think they are hacking the OS. I was told by someone to make sure that my Deb 9 OS is NOT defaulting to admin #. To see, I had to type in 'sudo -s' and see if it goes straight to #.... and it did. When I first turn on the live DVD, what can I do to make the OS NOT default to admin? I was told that it takes longer, to much longer, for someone to get on if the OS is not set to admin. Even if it is malware in the firmware, I would still like to set this up. Right now, this is the most important thing I really want to do. Any help is appreciated.

I also see in account settings, it says "automatic login". I imagine upon loading the Deb 9 DVD, I should disable that.
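Three things raised in this thread can be checked from inside the running live session: whether the live medium is mounted read-only (the /lib/live/mount/medium path from the shutdown message a few posts up), whether live-boot was started with a persistence option (the "save data to disk" possibility mentioned earlier), and whether the live user has the passwordless sudo rule that makes 'sudo -s' drop straight to a root prompt. The following is an added example, not code from the original thread or from Debian's live-config; the functions read /proc/mounts, /proc/cmdline and sudoers-style text from standard input so they run here on constructed samples. The sudoers drop-in name and its contents are assumptions modelled on a typical Debian live image.

```shell
#!/bin/sh
# Added example: audit a Debian live session from the shell.
# Each function reads its input on stdin so it can be run against the real
# files (/proc/mounts, /proc/cmdline, /etc/sudoers.d/*) or, as below, against
# constructed samples.

# medium_is_readonly  < /proc/mounts
#   exit 0 if /lib/live/mount/medium is mounted with the "ro" option, 1 otherwise
#   (also 1 if the mountpoint is not present at all).
medium_is_readonly() {
    awk '$2 == "/lib/live/mount/medium" {
             seen = 1
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
         }
         END { exit (seen && ro) ? 0 : 1 }'
}

# persistence_enabled  < /proc/cmdline
#   exit 0 if live-boot was given persistence, persistence-label=..., etc.; 1 otherwise.
persistence_enabled() {
    tr ' ' '\n' | grep -qxE 'persistence(-[a-z]+)?(=.*)?'
}

# nopasswd_rules USER  < sudoers text
#   prints each rule granting USER (or ALL) passwordless sudo; exit 0 if any, 1 if none.
#   Comments, blank lines and Defaults lines are skipped; @include/#include
#   directives are not followed, so run it once per file.
nopasswd_rules() {
    awk -v who="$1" '
        /^[[:space:]]*(#|@|$)/ { next }
        /^[[:space:]]*Defaults/ { next }
        /NOPASSWD/ && ($1 == who || $1 == "ALL") { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# ---- demo on constructed input (not captured from a real machine) ----
sample_mounts='/dev/sr0 /lib/live/mount/medium iso9660 ro,noatime 0 0
/dev/loop0 /lib/live/mount/rootfs/filesystem.squashfs squashfs ro,noatime 0 0'
sample_cmdline='BOOT_IMAGE=/live/vmlinuz initrd=/live/initrd.img boot=live components quiet'
sample_sudoers='# assumed contents of /etc/sudoers.d/live on a Debian live image
user ALL=(ALL) NOPASSWD: ALL'

if printf '%s\n' "$sample_mounts" | medium_is_readonly; then
    echo "live medium is mounted read-only"
fi
if ! printf '%s\n' "$sample_cmdline" | persistence_enabled; then
    echo "no persistence parameter on the kernel command line"
fi
if printf '%s\n' "$sample_sudoers" | nopasswd_rules user; then
    echo "live user has passwordless sudo; set a password with 'passwd' and"
    echo "edit the rule with 'visudo -f /etc/sudoers.d/<file>' if you want a prompt"
fi
```

On the live system itself the calls are `medium_is_readonly < /proc/mounts`, `persistence_enabled < /proc/cmdline` and `nopasswd_rules user < /etc/sudoers.d/<file>` (plain `sudo -l` also prints the effective rules). A read-only DVD in a DVD-ROM drive, no persistence parameter and no writable disk means nothing done in the browser survives a power-off. The passwordless sudo rule is a convenience default of the live image rather than a sign of tampering; setting a password for the live user tightens it, but it does not change what persists across reboots, because the sudoers file itself lives on the read-only medium.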
 

managed (Allan, Moderator)
See if the same problem occurs when you are not connected to the internet and using a clean OS you just downloaded and burned to CD/DVD. If it happens then it's a hardware problem.
 

plodr (Liz)
Someone hacked onto my computer the other day when I was using my livedvd debian 9.
Are you behind a router? If so, someone would have to hack your modem and router to get a connection and know the IP of your computer BEFORE he/she could proceed to hack the computer.

As soon as the live DVD or USB stick is removed, all the malware is gone.

So what would be the point of hacking into a computer behind a hardware firewall on an OS that loads into RAM? Truthfully, it would be a waste of time for a hacker because nothing is gained.
 

hv55 (Thread Starter)
'managed': When offline, no problems. Thanks.
'plodr': Yes, to an extent. My understanding is that once they have hacked the modem and router, and know the IP, in the future when trying to hack the OS they would be able to breeze through this part and go right to hacking the OS. On the other hand, I know this sociopath wants to get on my computer to see where I apply for jobs, etc., so she will spend the time having her son do it, even though once they hack the OS and I shut off, they would have to start all over.
QUESTION: "When I shut off" - is it true that by me just unplugging the Ethernet cord from the computer, if they are trying to hack the OS, they have to start over once I pull the Ethernet cord (while I am online)? I realize if they are ALREADY on, it doesn't matter. This is important for me to know since I am under the impression that once I pull that Ethernet cord, they are back to square zero as far as working on the OS (not modem, etc.).
 
Member (joined May 28, 2018)
When using consumer network equipment, the router is the firewall. The modem doesn't have a firewall. If you haven't changed the administrator password of the router then this problem is your fault. Also, updating the firmware of the router helps decrease vulnerabilities. Turning off the router will erase whatever backdoor the hacker has placed. If your ISP uses dynamic IP addresses, then by turning off the modem and router before going to bed and turning these devices on when you wake up, the ISP should give you a different IP address. Unfortunately, the next person that gets the IP address that you were using will have the same problem you are experiencing. Hopefully, the ISP is monitoring the traffic and stops the hacker. You may want to notify the ISP about the hacking problem.

There is a possibility that one of your computers is compromised and the hacker is using it for the attacks. Disconnect, or better, turn off the modem and use Wireshark. Use Wireshark to monitor any information that is phoning home outside your network.

The only way to get hacked is if you have visited a malicious website. Another possibility is you download a program and it installs an extra program without you knowing. These days, do a custom install to be sure nothing extra is installed but the program that you downloaded. It does help to manually scan the file you downloaded for viruses before installing and running it.

In your router settings, you can use OpenDNS servers instead of what your ISP gives you. OpenDNS will protect any computers on your network from visiting malicious websites. It is free, so keep in mind it won't be perfect.
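A lighter-weight version of the "watch for anything phoning home" advice above, added here as an example rather than taken from the thread: a shell function that reads the output of `ss -tn` (all TCP sockets, numeric addresses) and prints the peer address and state of every connection whose far end is outside loopback, link-local and the RFC 1918 private ranges, i.e. the connections that actually leave the home network. The sample lines are constructed with documentation addresses (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32), not captured from a real machine. Wireshark or tcpdump still gives the packet-level view; this is for a quick look while repeating the "unplug the Ethernet cable" test, on a live session where nothing but the browser should be talking out.

```shell
#!/bin/sh
# Added example: list TCP peers outside the local network from `ss -tn` output.
# Columns of `ss -tn` (and `ss -tnp`, which adds the owning process as a 6th field):
#   State Recv-Q Send-Q Local Address:Port Peer Address:Port [Process]
# Output: one line per non-local peer, "<peer address> <state>".

external_peers() {
    awk 'NR == 1 && $1 == "State" { next }      # skip the header line
         NF < 5 { next }
         {
             peer = $5
             sub(/:[0-9]+$/, "", peer)          # drop the port
             gsub(/\[|\]/, "", peer)            # drop IPv6 brackets
             sub(/^::ffff:/, "", peer)          # unwrap IPv4-mapped IPv6
             if (peer ~ /^127\./ || peer == "::1")        next   # loopback
             if (peer ~ /^10\./)                          next   # RFC 1918
             if (peer ~ /^192\.168\./)                    next
             if (peer ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)  next
             if (peer ~ /^169\.254\./ || peer ~ /^fe80:/) next   # link-local
             print peer, $1
         }'
}

# Demo on constructed ss output (documentation addresses, not a real capture).
sample_ss='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.20:49152 192.168.1.1:53
ESTAB 0 0 192.168.1.20:49200 203.0.113.7:443
ESTAB 0 0 127.0.0.1:5000 127.0.0.1:40000
SYN-SENT 0 1 192.168.1.20:50000 198.51.100.9:8080
ESTAB 0 0 [fe80::1%wlan0]:2222 [2001:db8::5]:22'
printf '%s\n' "$sample_ss" | external_peers

# Live use (root needed for -p to show the process owning each socket):
#   ss -tnp | external_peers
# Packet-level equivalent, excluding the LAN:
#   tcpdump -ni eth0 'not net 192.168.0.0/16'
```

SYN-SENT rows are kept on purpose: a connection attempt that never completes is exactly what a phone-home looks like once the cable is pulled or the far end is down. Run it with `-p` and anything owned by a process other than the browser deserves a look; with the browser closed, the list should be empty.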
 